dependabot-security-alert.yml
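# Reusable workflow: for Dependabot-authored pull requests in the calling repo,
# ensure a `security` label exists, add it to the PR, prefix the PR title with the
# advisory identifier (CVE if one is mapped, otherwise the GHSA id), and post a
# Slack message when the job does not succeed.
on:
  workflow_call:
    inputs:
      repo-name:
        description: repo name (e.g. user/repo)
        type: string
        required: true
    secrets:
      app-id:
        description: GitHub App ID
        required: true
      private-key:
        description: GitHub App private key
        required: true
      slack-webhook:
        description: Slack incoming webhook url
        required: false

jobs:
  dependabot-security-alert:
    name: Edit Dependabot Security PR
    runs-on: ubuntu-slim
    # Gate on both the triggering actor and the repository name passed by the
    # caller, so the reusable workflow only edits PRs in the repo it was meant for.
    if: github.actor == 'dependabot[bot]' && github.repository == inputs.repo-name
    steps:
      # NOTE(review): no step below reads the working tree (everything goes
      # through `gh`), so this checkout looks unnecessary — confirm before removing.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      # Short-lived installation token scoped to exactly the permissions the
      # steps below use; the caller's app secrets never reach the shell.
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        id: app-token
        with:
          client-id: ${{ secrets.app-id }}
          private-key: ${{ secrets.private-key }}
          # NOTE(review): no step below pushes commits or edits files; labels and
          # PR edits need issues/pull-requests write only. contents could likely be
          # reduced to read — confirm against the App's installation before tightening.
          permission-contents: write
          permission-issues: write
          permission-pull-requests: write
          # Required for alert-lookup in the metadata step below.
          permission-vulnerability-alerts: read

      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
        with:
          github-token: ${{ steps.app-token.outputs.token }}
          # Resolve the GHSA id for the updated dependency; empty when the PR
          # is not tied to a security advisory.
          alert-lookup: true

      - name: Create `security` label if it doesn't exist
        if: steps.metadata.outputs.ghsa-id != ''
        run: |
          # `gh label list` only returns 30 labels by default; raise the limit so an
          # existing `security` label is found in repos with many labels (otherwise
          # the create below fails on the duplicate and the job errors out).
          if ! gh label list --limit 1000 --json name --jq '.[].name' | grep -qx "security"; then
            gh label create "security" --color "ffc107" --description "Security related issues or PRs"
            echo "[INFO] Created security label"
          fi
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}

      - name: Add security label and GHSA-ID (or CVE-ID if possible) to PR
        if: steps.metadata.outputs.ghsa-id != ''
        # Untrusted/variable values (PR title, URL, advisory id) are passed via env,
        # not interpolated into the script, so they cannot break out of the shell.
        run: |
          # Only prepend GHSA-ID or CVE-ID if the title does not already start with a GHSA or CVE prefix
          if [[ ! "${PR_TITLE}" =~ ^\[(GHSA|CVE)-[0-9A-Za-z-]+\] ]]; then
            # An advisory may map to several CVE identifiers; take only the first one
            # so the title prefix is a single id (the array/first form guarantees this;
            # a bare `.identifiers[]` filter would emit one line per CVE).
            CVE_ID=$(gh api "/advisories/$GHSA_ID" --jq '[.identifiers[] | select(.type=="CVE") | .value] | first // empty' 2>/dev/null || echo "")
            if [ -n "${CVE_ID}" ]; then
              PR_TITLE="[${CVE_ID}] ${PR_TITLE}"
            else
              PR_TITLE="[${GHSA_ID}] ${PR_TITLE}"
            fi
          fi
          gh pr edit "$PR_URL" --title "${PR_TITLE}" --add-label "security"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          PR_TITLE: ${{ github.event.pull_request.title }}
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          GHSA_ID: ${{ steps.metadata.outputs.ghsa-id }}

      # Notify only when the job is not succeeding; a failed notification must not
      # change the job result, hence continue-on-error. Skipped silently if the
      # optional slack-webhook secret was not provided by the caller.
      - name: Slack Notification (not success)
        uses: act10ns/slack@d96404edccc6d6467fc7f8134a420c851b1e9054 # v2.2.0
        if: "! success()"
        continue-on-error: true
        with:
          status: ${{ job.status }}
          webhook-url: ${{ secrets.slack-webhook }}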